Closed tlvu closed 1 year ago
Technically, Magpie also allows emails as "username", so there would be many more characters that can pose problems. The image name should instead consider using the user-id of that user. Security-wise, that would also be a better practice to anonymize the container.
Just to be clear, the "whitelist of allowed characters in username" should be configurable via config file (ex: magpie.ini) so each org can decide for themselves if an email can be in the username field or not, for example.
In general, when a policy is decided (ex: what allowed characters for username, minimum password length, ...) it should have a possible override so each org can decide for themselves.
That said, we are not blocked, so this is just a nice-to-have feature request.
Is your feature request related to a problem? Please describe.
With PAVICS, Magpie is used as the authentication source for the JupyterHub. Usernames created in Magpie containing a dash (-) or an underscore (_) do not work with JupyterHub.
Username test_underscore becomes test-5funderscore and then the matching container name that has the badly escaped username is not found. To the end user, they are unable to spawn their personal Jupyter server.
test-dash becomes test-2ddash!
This code in the DockerSpawner seems to be responsible for the too severely escaped username: https://github.com/jupyterhub/dockerspawner/blob/87938e64fd3ca9a3e6170144fa6395502e3dba34/dockerspawner/dockerspawner.py#L863-L867
There is a way to use the unaltered "raw_username" directly from Magpie, but then we should ensure only whitelisted characters are allowed at user creation in Magpie.
Describe the solution you'd like
In order to prevent badly created usernames from the start and avoid going back and forth with the end user, is there a way to specify a list of allowed characters in the username on the user creation page in Magpie?
Describe alternatives you've considered
We put a note to ourselves to avoid dash and underscore chars, but we are more than one person creating accounts so errors can still happen. And if ever we allow account self-creation, this will become a big problem for us.
Additional context
JupyterHub logs showing the test_underscore and test-5funderscore mismatch:
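An added example, not part of the original issue and not Magpie or DockerSpawner code: it reproduces the escaping reported above (test_underscore becoming test-5funderscore) and checks a username against a configurable allowed-character pattern at creation time. The safe character set (lowercase letters and digits), the setting name `username_allowed_regex` and the function names are assumptions made for illustration.

```python
import re
import string

# Assumption: models the escaping reported in this issue (safe set of lowercase
# letters and digits, "-" as the escape character). Not DockerSpawner's code.
SAFE_CHARS = set(string.ascii_lowercase + string.digits)
ESCAPE_CHAR = "-"


def escape_username(name: str) -> str:
    """Replace each character outside SAFE_CHARS with ESCAPE_CHAR + hex byte(s)."""
    out = []
    for ch in name:
        if ch in SAFE_CHARS:
            out.append(ch)
        else:
            out.extend(f"{ESCAPE_CHAR}{b:02x}" for b in ch.encode("utf-8"))
    return "".join(out)


def load_username_pattern(config: dict) -> re.Pattern:
    """Build the allowlist pattern from config, with a strict default.

    'username_allowed_regex' is a hypothetical setting name used only here.
    """
    return re.compile(config.get("username_allowed_regex", r"[a-z0-9]+"))


def check_username(name: str, pattern: re.Pattern) -> list:
    """Return a list of problems; an empty list means the name is usable as-is."""
    problems = []
    if not pattern.fullmatch(name):
        problems.append("contains characters outside the configured allowlist")
    escaped = escape_username(name)
    if escaped != name:
        # An org that permits such names still learns what the container
        # name will look like after escaping.
        problems.append(f"would be escaped to {escaped!r}")
    return problems


if __name__ == "__main__":
    strict = load_username_pattern({})
    # Constructed sample names, including the two from the issue.
    for candidate in ["testuser", "test_underscore", "test-dash", "a@b.org"]:
        print(candidate, "->", check_username(candidate, strict) or "ok")
```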